Hevy
PassAudited by ClawScan on May 10, 2026.
Overview
The skill is a straightforward Hevy CLI instruction guide, but users should notice it relies on an undeclared Hevy API key and can create or update fitness-account data.
This skill appears purpose-aligned for managing Hevy fitness data. Before installing or using it, make sure you have the legitimate Hevy CLI installed, provide the API key through a controlled environment variable, and review any create or update command before it changes your account.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used incorrectly, the agent could create inaccurate workouts or modify routines in the user's Hevy account.
The skill documents commands that can create or update data in the user's Hevy account. This matches the stated purpose, but these are account-changing actions.
hevy workouts create --title TEXT ... hevy workouts update <workout-id> ... hevy routines create --title TEXT ... hevy routines update <routine-id> ...
Before running create or update commands, confirm the target IDs, dates, titles, and exercise JSON with the user.
The agent will need access to a Hevy API key to read or change the user's Hevy fitness data.
The skill requires a Hevy API key for account access, but the registry metadata lists no required environment variables or primary credential.
Requires `HEVY_API_KEY` env var to be set.
Provide only a Hevy API key intended for this use, prefer an environment variable over placing the key in command text, and revoke the key if no longer needed.
Users must already have the correct Hevy CLI installed; otherwise the agent may fail or use whatever `hevy` executable is on the system path.
The skill depends on an external `hevy` CLI, but the provided install data says there is no install spec and no required binaries are declared.
Use the `hevy` CLI to interact with Hevy fitness app data.
Install the Hevy CLI only from a trusted source and verify which `hevy` executable will be used before granting it API-key access.